[CentOS] Postfix setup

Mon Mar 11 10:35:52 UTC 2013
Robert Moskowitz <rgm at htt-consult.com>

On 03/11/2013 05:27 AM, Eero Volotinen wrote:
> 2013/3/11 Robert Moskowitz <rgm at htt-consult.com>:
>> On 03/11/2013 05:08 AM, Eero Volotinen wrote:
>>>>>      - Firewall and SELinux should be disabled.
>>>> Bad advice.
>>> this page also configures unsafe imap and pop settings. People should
>>> always enable only ssl-enabled versions of imap and pop only.
>>
>> Just don't open those ports.  Then they only work locally.  For imap, that
>> works well with the local imap webmail software.
>>
>> Why should a local squirrelmail or roundcube server have to go through SSL to
>> the local dovecot server?
> why not? it is always wise to use encrypted protocols, when possible.

If the system is so hacked that there is a risk of snooping on 
localhost, you have larger issues.

And I develop cryptographic protocols.  Right now I am off to the IETF 
meeting.  I understand what encrypted protocols give and what they 
don't.  In this case, the user is validating the webmail cert for their 
TLS connection to webmail.  They don't even see the dovecot cert.  Maybe 
it is the same cert or maybe not.  But the point is it never gets to the 
user domain for validation.

Further, it may well be the case that webmail uses a single TLS channel 
to dovecot for all users?  Would have to look into that.
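
Added example, not part of the original message: a check for the condition this reply relies on, that cleartext IMAP (143) and POP3 (110) are reachable only locally. It parses `ss -ltn` output and reports cleartext listeners bound to anything other than loopback, which then depend on the firewall alone. The function names and the sample output are constructed for illustration.

```python
import ipaddress

# Cleartext ports from the thread: IMAP and POP3 without TLS.
PLAINTEXT_PORTS = {143: "imap", 110: "pop3"}

def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; wildcards and unparsable values are not."""
    addr = addr.strip("[]").split("%", 1)[0]   # drop brackets and %iface scope
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                          # "*" or anything unexpected
        return False

def exposed_plaintext_listeners(ss_output):
    """Return sorted (service, local_address) pairs for cleartext IMAP/POP3
    listeners that are bound to something other than loopback."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                            # header or non-listening row
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in PLAINTEXT_PORTS and not is_loopback(addr):
            findings.add((PLAINTEXT_PORTS[int(port)], fields[3]))
    return sorted(findings)

# Constructed sample of `ss -ltn` output, not taken from a real host.
SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       100     127.0.0.1:143       0.0.0.0:*
LISTEN  0       100     [::1]:143           [::]:*
LISTEN  0       100     0.0.0.0:110         0.0.0.0:*
LISTEN  0       100     *:993               *:*
LISTEN  0       100     [::]:995            [::]:*
"""

if __name__ == "__main__":
    for service, local in exposed_plaintext_listeners(SAMPLE):
        print(f"cleartext {service} listening on {local}")
```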